Wednesday, August 30, 2017

Will the Aadhaar Act Withstand a Constitutional Challenge?

Is it time to change tactics with regard to privacy and Aadhaar? It seems likely that the Act will be upheld as constitutional, when looked at whether it falls foul of our fundamental right to privacy.

Now that a bench of nine judges of the Supreme Court have decided, in the case ofJustice Puttaswamy v. Union of India, that Indians have a fundamental right to privacy, the next big question is whether the Supreme Court is going to strike down the Aadhaar Act for violating that right. This is going to be a closely watched case because privacy has been at the centre of the debate against Aadhaar.

Unlike other Aadhaar sceptics, I do not think privacy is the biggest problem with Aadhaar. In fact, given the prevalent situation in India, I would go as far to say that Aadhaar hardly worsens the privacy rights of the citizen vis-à-vis the state. As things stand today, the bureaucracy and police can enter your house to conduct search and seizure, on the pretext of curbing tax evasion, money laundering or copyright infringement without requiring search warrants from judges. In the context of income tax raids, this used to mean that an officer at the level of principal commissioner could sanction raids. The Finance Act, 2017, has diluted even this perfunctory safeguard to allow even director level officers to sanction raids, leading to concerns of a ‘raid raj’.

Surprisingly, the entire public discourse on the privacy issue has revolved around the issue of “data” and “information”. Given the nature of privacy, it is necessary to strive for poorna privacy rather than seek some half-baked measures to protect our data while turning a blind eye to the state storming into our houses without even the fig leaf of a judicial warrant. The silence of the privacy debate on this issue is intriguing since the Modi government, like its predecessors in the Congress, has used the Income Tax Department & Enforcement Directorate as its instrument of choice to intimidate the opposition and the media .

The argument about bodily integrity

Regarding the issue of the Aadhaar Act and whether it falls foul of the fundamental right to privacy as outlined in the Puttaswamy case, the petitioners are likely to take three main arguments.

The first argument is likely that the act of collecting fingerprints and iris scans of citizens, violates their bodily integrity. Senior advocate Shyam Divan has reportedly argued before the court: “My fingerprints and iris are my own. As far as I am concerned, the state cannot take away my body”. In his written submissions, he reportedly stated, “A statutory provision that completely takes away the voluntary nature of Aadhaar and compels expropriation of a person’s finger prints and iris scan is per se violative of Article 21. In any event, such coercion cannot be imposed on legitimate tax payers and assessees who are otherwise willing to and pay income tax. There is no concept of eminent domain of the state qua a person and his body.” As per Divan’s line of argument, the action of collecting these fingerprints and iris scans is violating a citizen’s bodily integrity.

The Supreme Court, in Puttaswamy v. Union of India, has held that the fundamental right to privacy extends to preserving bodily integrity.

However, the problem with Divan’s argument is that he misunderstands the nature of the technology. A biometric scan of a fingerprint or the iris is nothing but a high-quality photograph that can be used by a computer program to identify a person according to some unique markers. The state is not “expropriating” any part of the body. Very soon, the state will be able to use similar technology to identify people according to their facial photographs. China is already doing it and Facebook’s facial recognition technology is astoundingly accurate.

The natural consequence of accepting Divan’s argument against biometric scans is that even a facial photograph will have to be held as violating a citizen’s bodily integrity. That is a prima facie absurd outcome.

Ignoring for a minute the consequentialist line of reasoning and tackling the issue from the perspective of the bodily integrity argument, I would argue that the bodily integrity argument is premised on coercive actions of the state wherein the law prevents a citizen from controlling their body and its functions. Abortion rights and strip searches fall within the class of acts that would violate bodily integrity. High quality photographs of either fingerprints or the face do not violate the bodily integrity of citizens as they do not involve either entering the human body or stopping its movements.

Informational privacy

The second likely argument that will be made by the petitioners is that the Aadhaar Act violated the right to informational self-determination or informational privacy, a right specifically identified and endorsed by the Supreme Court in the Puttaswamycase. As explained by Justice Chandrachud, “Informational control empowers the individual to use privacy as a shield to retain personal control over information pertaining to the person”. As per his opinion, information can be collected subject to three conditions: One, there should be a law authorising the collection of evidence; two, the aim of the law for which information is being collected is reasonable and three, the final condition requires “the means which are adopted by the legislature are proportional to the object and needs sought to be fulfilled by the law”.

Let’s start with the first condition – there should be a law. Although the Aadhaar program initially proceeded without sanction from the parliament, a legislation called the Aadhaar (Targeted Delivery of Financial & Other Subsidies, Benefits and Services) Act, 2016 was enacted by the parliament. The tactics adopted by the government to pass the law as a money bill are questionable and the legality of that issue is a topic for a separate discussion.

The second and third condition requires that the aim of the law for which information is being collected is reasonable and that the means adopted are proportional. To this end, Section 7 of the Act limits the purposes for which Aadhaar can be mandatorily used, to only a “receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India”. This falls clearly within the legitimate interests of the state as articulated by Justice Chandrachud in his opinion in the Puttaswamy case where he states, “There is a vital state interest in ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients”.

It is a different matter that the government is issuing all kinds of silly notifications making Aadhaar mandatory under different laws. While Section 57 allows the state or private corporations to require Aadhaar authentication pursuant to any law or contract, the only reasonable interpretation of Section 57 is that nobody can mandatorily prescribe Aadhaar pursuant to this provision, since the power to make Aadhaar mandatory exists only in Section 7. All those other notifications are just waiting to be quashed by high courts.

Separate from the above issues, the most important aspect of informational privacy, as understood in other countries, is that citizens know what exactly is happening with their information. Three provisions of the Aadhaar Act, apart from Section 7, are of particular importance in this regard, since they reflect the central principles of informational privacy as outlined by German courts and subsequently incorporated into the EU Data Protection Directive that is widely accepted as the highest standard of data protection in the world. The relevant provisions in this regard are Sections 3, 28 and 29.

Section 3 of the Aadhaar Act requires the enrolling agency to inform all individuals of the manner in which the information shall be used, the nature of recipients with whom the information is intended to be shared during authentication and the existence of a right to access information records stored with the UIDAI. These principles basically align with the European principles of data protection requiring the citizen to be informed about how their data is to be used by the data collection agency. The only problem with Section 3 is that the regulations drafted by the UIDAI do a poor job of implementing the legislative mandate in Section 3. That, however, is a ground for challenging the constitutionality of the regulations, not the parent legislation.

Sections 28 and 29 of the same legislation guarantee the confidentiality of all the information collected by the UIDAI and prohibits the authority from either sharing the information with any other person or using it for “for any purpose, other than that specified to the individual at the time of submitting any identity information for authentication”.

In sum, the above provisions ensure that the information is collected with consent, is kept confidential and the person will have the right to access their data.

The threat of the surveillance state

The most forceful privacy argument made against Aadhaar is that it will enable the state to mount 360-degree surveillance on a citizen. I think the state already does that through surveillance of our communications and financial records. I doubt whether Aadhaar can provide any more useful information to the state especially since Aadhaar’s design ensures that the UIDAI lacks the details of transactions conducted with the agency requesting authentication, i.e., if a person conducts a financial transaction at the bank and the bank authenticates the identity of the person, the UIDAI will know only the identity of the requesting agency and not details of the financial transaction per se.

In any case, it is important to understand that even from a surveillance perspective, as per Section 33 of the Aadhaar Act, only the joint secretary can request information from the UIDAI. The joint secretary’s orders can then be reviewed by an oversight committee of senior bureaucrats.

Frankly speaking, this is a hopeless mechanism to ensure accountability because it keeps everything “in-house” but unfortunately it is the Supreme Court which created this framework in the context of phone-tapping in the People’s Union Of Civil Liberties vs Union Of India case. So, it seems unlikely that the Supreme Court will now strike down this mechanism as unconstitutional.

Stronger privacy rights and a tempered Aadhaar program require political and not judicial intervention

One of the rather amazing aspects of the anti-Aadhaar debate is how the privacy concerns being voiced by a relatively small section of the NGO elite has got so much more attention in the media than all the other Aadhaar related issues combined. Since when did privacy become a more important issue than people going hungry because of technological glitches? Perhaps, positioning the challenge as a privacy issue was a strategic call because it would get the attention of the middle class and by extension, the judges of the higher judiciary. But notwithstanding the victory before the nine judges, there is a high probability that the court will uphold the constitutionality of the Aadhaar Act because the privacy argument is a weak one.

Presuming that privacy was always the main concern, I fail to understand how scrapping of Aadhaar will in any way ensure stronger privacy for us when the state can literally barge into your house on the grounds of tax evasion.

If we truly want an effective privacy regime, we need to accept the limitations of judicial review and work towards a political solution that forces the parliament to enact legislation requiring the state’s agents to procure judicial warrants before conducting raids or surveillance and reforming Indian evidence laws to import into the Evidence Act, the ‘fruits of the poisonous tree’ doctrine that automatically disbars evidence got through illegal means. Privacy is the slave of “procedural law” and only the parliament can and should prescribe reasonable procedure, not the judiciary.